ScreenOS Firewalls (NOT SRX)

SA usage for many proxy-id

2 weeks ago

Hello!

I'm using an SSG140 6.3.0r17.0 and a customer is asking to establish a VPN using a Cisco ASA 5545. He provided me, as proxy-ids, 10 networks as his local IPs and 15 /32 addresses that I'll have to NAT my servers' IPs to. As long as there is a security association for every proxy-id, in this scenario, is there a way to set up a VPN that will not consume 10 x 15 SAs?

Thank you in advance

Bruno

4 REPLIES

Re: SA usage for many proxy-id

2 weeks ago

Hi Bruno,

I hope you are doing great!

Please check the following KB:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB16008&actp=METADATA&act=login&act=login

Please read it all, I believe it contains what you need :)

Pablo Restrepo


Re: SA usage for many proxy-id

2 weeks ago

Hi Pablo,

Thank you for your reply! I hope you are doing great too!

I understood from the KB that I can, for the same VPN "test", do the command below for each pair of local and remote IP.

set vpn test proxy-id local-ip 10.1.1.0/24 remote-ip 20.1.1.0/24 any

But since there are 15 local IPs for each of the 10 remote ones, when I try the "get sa" command, there will be 150 SAs defined.

I was trying to understand if the previous way mentioned, using policy-based VPN, will use fewer SAs and permit NAT of my source IP.

I really appreciate your help!

Best regards,

Bruno


Re: SA usage for many proxy-id

2 weeks ago

Bruno,

My pleasure :)

If this solves your problem, please mark this post as "Accepted Solution". Pura vida from Costa Rica :D

Pablo Restrepo

Solution (accepted by topic author Brn, 2 weeks ago)

Re: SA usage for many proxy-id

2 weeks ago

> I was trying to understand if the previous way mentioned, using policy-based VPN, will use fewer SAs and permit NAT of my source IP.

No, the number of SAs required is strictly determined by the number of IP address pairs needed for the VPN traffic to be sent.

If both sides are Juniper then you have the option of using the open proxy-id pair 0.0.0.0/0 to 0.0.0.0/0, which is the default when creating a route-based VPN on both sides. This works with both ScreenOS and Junos.

NAT can be applied only on a route-based VPN. So you could NAT a number of subnets behind one NAT address and reduce the proxy-id pairs. In that case the IP address you use for NAT is then used for the local side of the pair and you drop all the subnets that are NATed behind that address.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
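The point of the accepted answer, that the Phase 2 SA count is the cross product of local and remote proxy-ids and only shrinks when subnets are hidden behind a NAT address, can be checked with a small script. This is an added example, not code from the thread, from Juniper, or from Steve; the prefixes are constructed sample values (the thread gives only the counts, 10 remote networks and 15 /32 NAT addresses), the VPN name "test" is taken from Bruno's post, and the collapsed variant assumes the peer agrees to the narrower proxy-id set.

```python
import ipaddress
from itertools import product

# Constructed sample prefixes (assumption: the real addresses are not in the thread).
REMOTE_NETWORKS = [f"10.{i}.0.0/24" for i in range(1, 11)]    # 10 networks on the ASA side
LOCAL_NAT_HOSTS = [f"192.0.2.{i}/32" for i in range(1, 16)]   # 15 /32 NAT addresses on the SSG side
SINGLE_NAT_HOST = ["192.0.2.100/32"]  # one NAT address hiding all servers (route-based VPN only)


def proxy_id_pairs(local, remote):
    """Every (local, remote) proxy-id pair; each pair costs one Phase 2 SA.

    strict=True rejects prefixes with host bits set (e.g. 10.1.1.5/24), which would
    otherwise be negotiated as a proxy-id the peer does not match.
    """
    locals_ = [ipaddress.ip_network(p, strict=True) for p in local]
    remotes = [ipaddress.ip_network(p, strict=True) for p in remote]
    return list(product(locals_, remotes))


def sa_count(local, remote):
    """Number of Phase 2 SAs the proxy-id sets will produce (what 'get sa' will list)."""
    return len(proxy_id_pairs(local, remote))


def screenos_proxy_id_commands(vpn_name, local, remote):
    """One 'set vpn ... proxy-id' line per pair, in the form used in Bruno's post."""
    return [
        f"set vpn {vpn_name} proxy-id local-ip {l.with_prefixlen} "
        f"remote-ip {r.with_prefixlen} any"
        for l, r in proxy_id_pairs(local, remote)
    ]


if __name__ == "__main__":
    # 15 x 10 proxy-id pairs versus 1 x 10 after hiding the servers behind one NAT address.
    print("SAs with 15 NAT hosts:", sa_count(LOCAL_NAT_HOSTS, REMOTE_NETWORKS))
    print("SAs with 1 NAT host:  ", sa_count(SINGLE_NAT_HOST, REMOTE_NETWORKS))
    for line in screenos_proxy_id_commands("test", SINGLE_NAT_HOST, REMOTE_NETWORKS):
        print(line)
```

The collapsed variant only helps if the peer's crypto map selectors are changed to match the single NAT address; a mismatch between the two proxy-id sets is the usual reason a Phase 2 negotiation fails even when Phase 1 is up.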